CVE-2017-18305

XBL sec mem dump system call allows complete control of EL3 by unlocking all XPUs if enable fuse is not blown in Snapdragon Mobile, Snapdragon Wear in version MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835.

CVSS v3 7.0 HIGH
CVSS v2.0 6.9 MEDIUM

7.0^/10

CVSS v3 : HIGH

Vector : AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securitytracker.com/id/1041432	Third Party Advisory VDB Entry
https://source.android.com/security/bulletin/2018-08-01#qualcomm-closed-source-components	Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:qualcomm:mdm9206_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:mdm9206:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:qualcomm:mdm9607_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:mdm9607:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:mdm9650:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:qualcomm:sd_210_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:sd_210:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:qualcomm:sd_212_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:sd_212:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:qualcomm:sd_205_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:sd_205:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:qualcomm:sd_835_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:qualcomm:sd_835:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-10-23 13:29

Updated : 2019-10-03 00:03

NVD link : CVE-2017-18305

Mitre link : CVE-2017-18305

CVE.ORG link : CVE-2017-18305

JSON object : View

Products Affected

qualcomm

mdm9607
sd_205
sd_210_firmware
sd_212_firmware
sd_205_firmware
sd_835_firmware
sd_835
mdm9607_firmware
mdm9650
mdm9650_firmware
mdm9206_firmware
sd_212
sd_210
mdm9206

CWE

NVD-CWE-noinfo

{"id": "CVE-2017-18305", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2018-10-23T13:29:02.557", "references": [{"url": "http://www.securitytracker.com/id/1041432", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@qualcomm.com"}, {"url": "https://source.android.com/security/bulletin/2018-08-01#qualcomm-closed-source-components", "tags": ["Third Party Advisory"], "source": "product-security@qualcomm.com"}, {"url": "https://www.qualcomm.com/company/product-security/bulletins", "tags": ["Vendor Advisory"], "source": "product-security@qualcomm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "XBL sec mem dump system call allows complete control of EL3 by unlocking all XPUs if enable fuse is not blown in Snapdragon Mobile, Snapdragon Wear in version MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835."}, {"lang": "es", "value": "La llamada del sistema XBL sec mem dump permite el control total de EL3 desbloqueando todos los XPU si no se se sobrecarga un fusible \"enable\" en Snapdragon Mobile y Snapdragon Wear en versiones MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205 y SD 835."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:mdm9206_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A960B86A-C397-4ACB-AEE6-55F316D32949"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:mdm9206:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D79B8959-3D1E-4B48-9181-D75FE90AAF98"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:mdm9607_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A35FECFB-60AE-42A8-BCBB-FEA7D5826D49"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:mdm9607:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E9765187-8653-4D66-B230-B2CE862AC5C0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35B7E25E-FA92-4C36-883C-CFF36F4B3507"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:mdm9650:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ECD99C6F-2444-4A5E-A517-0C8023DDF23D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:sd_210_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FA80D57-3191-47CF-AD3F-9F2D64E443FE"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:sd_210:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B2AFB212-F01A-4CEB-8DB4-2E0CC2308CB6"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:sd_212_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0986EF1-0974-488E-84C4-6880F876CE55"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:sd_212:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8C08BA58-2EBC-4A22-85A4-2ECD54693B9B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:sd_205_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27110478-4C08-49E6-BD53-8BAAD9D5BD65"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:sd_205:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3664D302-D22A-4B25-B534-3097AE2F8573"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qualcomm:sd_835_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CFF35A3-1472-4665-9DAB-1ABC45C0D5B4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qualcomm:sd_835:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F930E9BF-C502-49C6-8BE8-9A711B89FA1B"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "product-security@qualcomm.com"}